NINJIO COMPLIANCE
PCI DSS

NINJIO has developed an original 4-episode series on PCI compliance as it relates to the end user. As with all NINJIO episodes, the series is presented through engaging, Hollywood-style storytelling. These episodes are inspired by the largest credit card breach in history. The fourth episode in the series specifically addresses "card handling."

WHO BENEFITS?

NINJIO PCI targets any users who have access to credit card data or handle credit cards as part of their day-to-day responsibilities.

EPISODE 4
CARD HANDLING

With the number of restaurant and retail employees handling credit cards daily, our fourth PCI compliance episode is intended as a "stand-alone" focusing exclusively on "card handling." If you only need to train your front-line people on card handling, this episode would suffice.

WHAT’S COVERED IN THE 4-EPISODE SERIES:

REQUIREMENT 1.4

Install firewall software or equivalent protections on any portable computing devices that connect to the Internet when outside the network, and which are also used to access the cardholder data environment (CDE).

This requirement applies to employee-owned and company-owned portable computing devices. Systems that cannot be managed by corporate policy introduce weaknesses and provide opportunities that malicious individuals may exploit. Allowing untrusted systems to connect to an organization’s CDE could result in access being granted to attackers and other malicious users.

REQUIREMENT 4.2

Never send unprotected primary account numbers (PANs) by end user messaging technologies (for example, email, instant messaging, SMS, chat, etc.).
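Requirement 4.2 is usually enforced on the sending side by a data loss prevention check that refuses to release a message containing a PAN, or masks it before release. The following Python example is added here for illustration; it is not part of the NINJIO series and not NINJIO's code. It finds candidate PANs (13 to 19 digits, optionally separated by spaces or hyphens), confirms them with the Luhn check so that order numbers and phone numbers are not flagged, and masks everything except the last four digits. The sample messages and the function names are constructed for this example.

```python
import re

# Candidate PAN: 13-19 digits, single spaces or hyphens allowed between digits,
# not preceded or followed by another digit (so a 20-digit run is not matched).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands to catch typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list:
    """Return every substring of text that looks like a PAN and passes Luhn."""
    return [m.group() for m in PAN_RE.finditer(text) if _is_pan(m.group())]


def mask_pans(text: str) -> str:
    """Replace each PAN with asterisks, keeping only the last four digits."""
    def _mask(m):
        raw = m.group()
        if not _is_pan(raw):
            return raw
        digits = re.sub(r"[ -]", "", raw)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(_mask, text)


def message_allowed(text: str) -> bool:
    """Gate for an outbound email/chat message: False if it carries a clear PAN."""
    return not find_pans(text)


# Constructed sample messages (test card numbers, not real accounts).
SAMPLES = [
    "Customer card is 4111 1111 1111 1111, exp 12/26, please refund",
    "Amex on file: 378282246310005",
    "Order 1234567890123456 shipped, call 555-0100 with questions",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print("BLOCK " if not message_allowed(msg) else "ALLOW ", mask_pans(msg))
```

The third sample is a 16-digit order number that fails the Luhn check, so it is neither blocked nor masked; relying on digit count alone would produce a flood of false positives in a retail mailbox. Masking to the last four digits follows the display rule in PCI DSS requirement 3.4, but the safer default for end-user messaging is to block the message outright, which is what message_allowed does.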

REQUIREMENT 5.1

Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers). Note: this applies to any employee-owned devices that are allowed on the network and not managed under a mobile device management (MDM) program.

REQUIREMENT 5.3

Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users unless specifically authorized by management.

REQUIREMENT 7.1

Limit access to system components and cardholder data to employees whose job requires such access.

REQUIREMENT 9.7

Maintain strict control over the storage and accessibility of media.

REQUIREMENT 9.8 to 9.8.1

Destroy media when it is no longer needed for business or legal reasons.

Examine the periodic media destruction policy and verify that it covers all media and defines requirements for the following:

Hard-copy materials must be crosscut shredded, incinerated, or pulped so there is reasonable assurance the hard-copy materials cannot be reconstructed.

REQUIREMENT 9.9

Protect devices that capture payment card data from tampering and substitution.

REQUIREMENT 11

Regularly test security systems and processes.

REQUIREMENT 12.6

Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.